Installing the Time Stamp Option Pack

During the TSOP installation, the hardserver (nFast Server and any associated service dependencies) will be restarted.

To install TSOP on a supported Microsoft Windows operating system:

  1. Log in with the Administrator role or as a user with local administrator rights.

  2. Place the TSOP support software disk in the CD/DVD drive. If Autorun is enabled, the installer setup.msi runs automatically, detects the version of Windows and launches the appropriate installation program. If Autorun is not enabled, launch the installer manually.

  3. Click Next to continue.

    The installer displays the license agreement.

  4. Accept the license agreement.

    The installer automatically detects the location of the Security World Software installation and installs TSOP alongside it.

  5. When prompted, enter the port settings for the HTTP and HTTPS protocols.

  6. Follow the installer instructions until the installation process is complete.

After you have installed the software, enable the SEE feature and, if desired, the Elliptic Curve algorithms feature, as described in the following section.

Enabling features

After TSOP is installed, enable the SEE Activation (Restricted) feature. This feature enables the TSS to perform specific tasks using the SEE.

If you intend to use ECDSA-based keys, you must also enable the Elliptic Curve algorithms feature. For details on Elliptic Curve support on Windows 2016, see https://docs.microsoft.com/en-gb/windows/desktop/SecCNG/cng-named-elliptic-curves.

Entrust provides you with smart cards that contain the Feature Enabling Certificates for the SEE Activation (Restricted) feature and the Elliptic Curve algorithms feature.

To enable a feature using the provided smart card:

  1. Insert the Feature Enabling smart card into a smart-card reader connected to the TSS.

  2. Start the Feature Enable Tool by running the following command:

    %NFAST_HOME%\bin\fet.exe

    If you start the Feature Enable Tool without a Feature Enabling smart card from Entrust, the tool displays various options for reading a Feature Enabling certificate (FEM).

  3. Choose the option to read the FEM certificate from a smart card, and follow the onscreen instructions.

    After the feature is enabled, the system returns a success message.

    If you do not enable the SEE Activation (Restricted) feature, the TSS cannot load the SEE machine. As a result, the Operation Status page of the TSS web interface returns the error message SEE_LoadMachineFailure.

    If you do not enable the Elliptic Curve algorithms feature, it will not be possible to use ECDSA-based keys.

See the User Guide for your HSM for more information on the Feature Enable Tool.

Configuring the TSS and creating a Security World

After you have enabled the appropriate features, complete the setup process by configuring the TSS and creating a Security World.

To use an existing Security World, that Security World must have been created with the SEEDebugForAll feature enabled. In addition, SEE delegation must be performed. For instructions, see Joining an existing Security World.

Accessing the TSS web interface

A modern web browser, such as Microsoft Internet Explorer, Microsoft Edge, Mozilla Firefox or Google Chrome, can be used to access the TSS web interface via:

https://localhost/TSS/index.jsp

Or:

https://<tss-hostname>/TSS/index.jsp

<tss-hostname> is the IP address or DNS name of your TSS.

If you changed the default HTTP or HTTPS ports (see TCP/IP and UDP port access), make sure that you specify ports in URLs for the TSS web interface, before continuing with the configuration processes described in Configuring the TSS.

The default test TLS certificate for the web user interface must be replaced (see Adding a TLS certificate).
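One way to confirm that the web interface is serving your replacement certificate rather than the default test certificate is to compare the SHA-256 fingerprint of the served certificate with that of the certificate you installed. The PowerShell below is an added example, not Entrust code: the function names, the host name tss.example.internal and the fingerprint placeholder are assumptions, and port 443 is what the URLs above imply when no port is given.

```powershell
# Added example, not Entrust code. Function names are hypothetical.
function Get-TssServedCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,  # the <tss-hostname> used in the URL
        [int] $Port = 443                           # set this if you changed the HTTPS port
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: the aim is to inspect the certificate, not trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            # Copy the certificate so it stays usable after the stream is disposed.
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

function Test-TssCertificateReplaced {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [Parameter(Mandatory)] [string] $ExpectedSha256  # fingerprint of the certificate you installed
    )
    $cert = Get-TssServedCertificate -HostName $HostName -Port $Port
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $actual = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
    } finally { $sha.Dispose() }
    # Normalise the expected value: drop colons, spaces and dashes before comparing.
    $expected = $ExpectedSha256 -replace '[:\s-]', ''
    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        NotAfter        = $cert.NotAfter
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)
        Sha256          = $actual
        MatchesExpected = ($actual -eq $expected)   # -eq is case-insensitive for strings
    }
}

# Usage (host name and fingerprint are placeholders to replace with your own values):
# Test-TssCertificateReplaced -HostName 'tss.example.internal' -ExpectedSha256 '<SHA-256 fingerprint>'
```

If MatchesExpected is False, the web interface is still presenting a certificate other than the one you installed; check Subject and Issuer to see which one it is.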

At the Administrator Login, enter the appropriate user ID and password and then click Login:

  Field       Security Officer    Network Manager
  Name        superuser           admin
  Password    superuser           administrator

For security purposes, we recommend that you change the default user names and passwords as soon as possible. See Modifying or deleting users.